Whitepaper
Integrated Security Analytics – Revolutionizing DLP Incident Response
AN OVERVIEW OF DLP INCIDENT RISK RANKING
Introduction
Security systems generate a large number of alerts, but only a small subset of them represent critical risks to high value business data.

Noise – whether it comes from personal communication, broken business processes or false positives – makes the task of identifying genuine data theft risks challenging, even for well-resourced security operations teams.

The result of this research is an integrated security analytics system tuned for a DLP data set that enables security operations teams to be more responsive and effective with fewer resources.

In this whitepaper, we’ll provide an overview of the techniques applied and the challenges addressed by the security analytics system and its new Incident Risk Ranking feature.
www.forcepoint.com 2
Integrated Security Analytics - Revolutionizing DLP Incident Response
Overview
Incident Risk Ranking uses the new security analytics system to
identify the deliberate exfiltration of critical data and other high risk
data activity scenarios. At a high level it:
The end result of this process is the Incident Risk Ranking report,
which presents a stack ranked list of the top 10-20 data theft risk
cases for the previous 24 hours, ready for investigation.
Quantifying Risk
Each person has an intuitive notion regarding risk, but assigning a meaningful and consistent risk metric is difficult. Although some clear, high-risk cases are easy to discern—such as a file with thousands of credit card numbers that was sent in the middle of the night to a dubious destination by an employee with a poor record—it’s much harder to decide about cases with an ambiguous data classification or incidents within the “gray area.” These can stem from an employee’s mistake, broken business processes or from sophisticated insiders who attempt to make their activity look “normal.”

Systematic approaches to risk quantification and management were first developed in the insurance industry and were based on the expectation value of the loss. Broadly speaking, this can be expressed as:

Risk = (Probability of “bad” events) • (Amount of loss associated with the events)

To this day, insurance underwriting is still based on this basic formula, which is also widely used for quantifying other risks, and is, by and large, the benchmark for risk quantification.

The intimate acquaintance of content-aware DLP with sensitive content, whether it’s intellectual property or regulated data sets, allows the system to assess the potential damages or losses associated with cases in which a certain type of content is stolen or otherwise exposed.

In general, the impact can be assessed using the classification and the size of the exposed data: an incident with a single credit card number is much less severe than an incident with a hundred credit card numbers, which is yet less severe than stealing credentials for a database with millions of sensitive records.

In order to assess the risk, we also need to assess the probabilities of the various possible scenario classes:

• Was it deliberate data theft? In this case, the impact can be very large and there is an urgent need to address the problem.

• Was it a broken business process, where information is exchanged in a non-secure manner? In this case, the risk is enduring and requires systematic, yet not urgent, action.

• Or was it a one-time mistake?

On the other hand, false positives and events of low importance, such as personal communication, also have costs associated with the time and attention that was diverted for their analyses, as well as the resulting opportunity costs associated with missing high-impact events. That’s why it’s so important to be able to identify superfluous incidents whenever possible.

In order to assess the probabilities, our researchers have developed an advanced tool based on a technology called Bayesian Belief Networks, that utilizes a spectrum of observables and indicators to assess the plausibility of various scenarios by combining DLP domain expert knowledge, deep learning techniques and statistical inference.

The key to Bayesian Belief Networks is the ability to see behind the single alert or incident. Before assessing the risks, the system first correlates related incidents into cases that aggregate various incidents based on key attributes such as the source, destination and data types, as well as more subtle patterns that take into account various similarity measures between incidents.
[Figure: Bayesian Belief Network for a DLP case. Node labels recoverable from the diagram: Suspected User, Suspected User Group (e.g. “On Notice”), Likely To Leave, Suspected Disgruntled Behavior, Suspected Unintentional, Sensitive Data, Suspected Destination, Suspected Disposition (e.g. sending his own CV/resume), Other, False Positives; evidence nodes AP-DATA Indicators, AP-WEB Indicators, Prior, Baselines, and Observable #1 / Observable #2 feeding several of the nodes.]
The risk for the case is evaluated by first assessing the total
impact of all the incidents in the case and the probabilities
for various scenarios (data theft case, false positive, etc.). The
following card summarizes a case with 50 incidents involving
credit card data:
• Statistical methods

• Deviations from baselines

• Prior information about the precision of the classifiers and rules in the various DLP sensitivity levels (“Wide”, “Default” and “Narrow”)
Conclusion
By combining a Bayesian network-based expert system,
machine learning and behavioral baseline analysis, Incident
Risk Ranking delivers a new, systematic approach to risk
quantification and management for DLP incident data sets.
It enables security operations teams to identify and respond
rapidly to high-risk interactions with business critical data sets.
If you would like to find out more about how integrated security
analytics can transform your data security program, register
interest via this webpage:
www.forcepoint.com/DLPIncidentRiskRanking